topic C&amp;C threat from outside 45.9.148.91 similar Shodan Malware hunter ? in General Topics https://live.paloaltonetworks.com/t5/general-topics/c-amp-c-threat-from-outside-45-9-148-91-similar-shodan-malware/m-p/336604#M84800 <P>Hi Live community,</P><P>recently when investigating a false positive C&amp;C threat blocked from "shodan malware hunter" I was pleased to see others had posted into this community about this. In the past 24 hrs we have 2 SIEM alerts for C&amp;C outside to publically presented hosts from 45.9.148.91.&nbsp;Anyone else seeing this behaviour ?</P><P>PAN did reset both but I am considering a block rule, but of course the src IP could change at any time.</P><P>IP is on some blacklists:</P><P><STRONG>xbl.spamhaus.org</STRONG><SPAN>&nbsp;</SPAN><SPAN>has</SPAN><SPAN>&nbsp;blacklisted this IP.</SPAN><BR /><STRONG>zen.spamhaus.org</STRONG><SPAN>&nbsp;</SPAN><SPAN>has</SPAN><SPAN>&nbsp;blacklisted this IP.</SPAN></P><P>and appears to slowly, be carrying out reconnaissance on our public IP space.</P><P>&nbsp;</P><P>KR,</P><P>Lee</P><P>&nbsp;</P> Sat, 04 Jul 2020 16:15:55 GMT LeeFrancis2 2020-07-04T16:15:55Z C&C threat from outside 45.9.148.91 similar Shodan Malware hunter ? https://live.paloaltonetworks.com/t5/general-topics/c-amp-c-threat-from-outside-45-9-148-91-similar-shodan-malware/m-p/336604#M84800 <P>Hi Live community,</P><P>recently when investigating a false positive C&amp;C threat blocked from "shodan malware hunter" I was pleased to see others had posted into this community about this. In the past 24 hrs we have 2 SIEM alerts for C&amp;C outside to publically presented hosts from 45.9.148.91.&nbsp;Anyone else seeing this behaviour ?</P><P>PAN did reset both but I am considering a block rule, but of course the src IP could change at any time.</P><P>IP is on some blacklists:</P><P><STRONG>xbl.spamhaus.org</STRONG><SPAN>&nbsp;</SPAN><SPAN>has</SPAN><SPAN>&nbsp;blacklisted this IP.</SPAN><BR /><STRONG>zen.spamhaus.org</STRONG><SPAN>&nbsp;</SPAN><SPAN>has</SPAN><SPAN>&nbsp;blacklisted this IP.</SPAN></P><P>and appears to slowly, be carrying out reconnaissance on our public IP space.</P><P>&nbsp;</P><P>KR,</P><P>Lee</P><P>&nbsp;</P> Sat, 04 Jul 2020 16:15:55 GMT https://live.paloaltonetworks.com/t5/general-topics/c-amp-c-threat-from-outside-45-9-148-91-similar-shodan-malware/m-p/336604#M84800 LeeFrancis2 2020-07-04T16:15:55Z Re: C&C threat from outside 45.9.148.91 similar Shodan Malware hunter ? https://live.paloaltonetworks.com/t5/general-topics/c-amp-c-threat-from-outside-45-9-148-91-similar-shodan-malware/m-p/336761#M84874 <P>Hello,</P> <P>I try to keep things dynamic and self learning. Meaning I stay away from IP's since they change too fast. Since a EBL has it, i say let it run with it. Also I would enable sending telemetry back to Palo Alto so they can update their definitions so we dont have to :).</P> <P>&nbsp;</P> <P>Hope that makes sense.</P> Mon, 06 Jul 2020 20:53:44 GMT https://live.paloaltonetworks.com/t5/general-topics/c-amp-c-threat-from-outside-45-9-148-91-similar-shodan-malware/m-p/336761#M84874 OtakarKlier 2020-07-06T20:53:44Z